How can i know that if my site can be hacked or not ? like sql injection or javascript code
5 1628 pbmods 5,821
Recognized Expert Expert
Changed thread title to better describe the problem.
Alright,
I have known a few hackers and here are the way they can get in.
RFI/LFI (Remote File Inclusion / Local File Inclusion) -
Never include something from an input without securing it first. This can be done by using an easy function I made.
CSS/XSS etc... (Cross site scripting)
Involves an input that is used within html. Used to steal cookies.
Allows them to input html into your site virtually. Again, if you secure those inputs it won't be a problem.
MySQL injection - One of the most common problem - When an unsecured input is processed as a query allowing access to the database. This will also be secured by the function below.
[php]
function secure($data)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , '.' => '' , ',' => '' , '*' => '' , '/' => '' , '@' => '');
$data = strtr($data , $replace);
return $data;
}
[/php]
If you would like me to check your scripts for vulnerabilities I would be glad to. If you secure all your inputs with that function your worries will be over, EXCEPT for certain inputs that you WANT html to be processed in a certain manner.
~Tyler
Can you check this code please that code for Signup page to insert the user into the database : - $userID=addslashes($_POST['userN']); $userID=htmlspecialchars($userID);
-
$passID=addslashes($_POST['passW']); $passID=htmlspecialchars($passID);
-
$CpassID=addslashes($_POST['CpassW']); $CpassID=htmlspecialchars($CpassW);
-
$emailID=addslashes($_POST['email']); $emailID=htmlspecialchars($emailID);
-
$FnameID=addslashes($_POST['Fname']); $FnameID=htmlspecialchars($FnameID);
-
$LnameID=addslashes($_POST['Lname']); $LnameID=htmlspecialchars($LnameID);
-
$genderID=addslashes($_POST['gender']); $genderID=htmlspecialchars($genderID);
-
$CountryID=addslashes($_POST['Country']); $CountryID=htmlspecialchars($CountryID);
-
$phoneID=addslashes($_POST['phone']); $phoneID=htmlspecialchars($phoneID);
-
-
////-----------------------------------------------------paternes
-
$STRINGPATTERN="^[a-zA-Z]{4,15}$";
-
$EMAILPATTERN="^[a-zA-Z]{4,15}[0-9]*[\_\-\.]?[a-zA-Z]*[0-9]*\@[a-zA-Z]{2,10}\.[a-zA-Z]{2,4}$";
-
$NUMBERSPATERN="^[0-9]{7,20}$";
-
$PASSPATTERN="^[a-zA-Z0-9]{7,15}$";
-
//-----------------------------------------------------Check Validation
-
function check_validation($pattern,$input,$message){
-
global $num;
-
if(ereg($pattern,$input)){
-
$GLOBALS['num']+=1;
-
}else{
-
echo "<span class='RED'>".$message."</span><br />";
-
$GLOBALS['num']-=1;
-
}
-
}
-
//-----------------------------------------------------handle errors message
-
function handle_errors($form,$msg,$pattern,$message){
-
if($_POST['register']){
-
if($form==""){
-
echo "<span class='RED'>".$msg."</span><br/>";
-
}else{
-
check_validation($pattern,$form,$message);
-
}
-
-
}
-
}
-
//-----------------------------------------------------Called Functions
-
handle_errors($userID,"Username Field are Required",$STRINGPATTERN,"Sorry, usernames contain only alphabetical characters");
-
-
if($_POST['register']){if($passID=="" || CpassID==""){echo "<span class='RED'>Password Field are Required</span><br />";}else{if($passID!=$CpassID){echo "<span class='RED'>Password field dosen't match</span>";}else{check_validation($PASSPATTERN,$passID,"Sorry, Password only contain numbers,alphabetical characters",$num);}}}
-
-
handle_errors($emailID,"Email Field are Required",$EMAILPATTERN,"write valid email address");
-
-
handle_errors($FnameID,"First Name Field are Required",$STRINGPATTERN,"Sorry, First name contain only alphabetical characters minimum (4)");
-
-
handle_errors($LnameID,"Last Name Field are Required",$STRINGPATTERN,"Sorry, Last name contain only alphabetical characters minimum (4)");
-
-
handle_errors($phoneID,"Phone Field are Required",$NUMBERSPATERN,"Phone contain only numeric characters minimum (7)");
-
//-----------------------------------------------------check if the email and username where found
-
if($GLOBALS['num']==6){
-
include_once("Connections/conection.php");
-
-
$check_user_email=mysql_query("SELECT username FROM users WHERE username='$userID' || mail='$emailID'",$myConnection);
-
$check_user=mysql_query("SELECT username FROM users WHERE username='$userID'",$myConnection);
-
$check_email=mysql_query("SELECT mail FROM users WHERE mail='$emailID'",$myConnection);
-
if(mysql_num_rows($check_user_email)==0){
-
mysql_query("INSERT INTO users(username,Password,mail,firstname,lastname,gender,country,phone) VALUES ('$userID', PASSWORD( '$passID' ),'$emailID','$FnameID','$LnameID','$genderID','$CountryID','$phoneID')",$myConnection);
-
echo "Your have successfully registred your username is : $userID <br />";
-
completeTable("index.php");
-
exit;
-
}else{
-
if(mysql_num_rows($check_email)>=1){
-
echo "<span class='RED'>This email already registered in the database</span><p>";
-
}
-
if(mysql_num_rows($check_user)>=1){
-
echo "<span class='RED'>This username already registered in the database</span>";
-
}
-
}
-
}
pbmods 5,821
Recognized Expert Expert
Heya, smartic.
Thanks for using CODE tags! Did you know that you can specify a language for your CODE tags to make your source code easier to read?
You will still need to use [/code] to close your code blocks, regardless of the language, but you can the use one of these tags to open your code block:
[code=html]
[code=javascript]
[code=php]
and so on.
Thanks!
MODERATOR
How can i know that if my site can be hacked or not ? like sql injection or javascript code
What is the URL of your site?
Sign in to post your reply or Sign up for a free account.
Similar topics |
by: Florent |
last post by:
Hi,
I run a few sites and I want to log in my main site database when/if there
is a problem, (like a page not found or an unknown agent).
But I don't want to give direct access to my database to the other sites, so
how could I safely pass data, (without passwords), from one site to another?
Thanks.
Simon
|
by: moondaddy |
last post by:
I've made the decision to use search engine friendly URLs in my site which
means translating stripping all parameters our of the URL and converting it
to a hierarchical URL like this:
Change:
/mysite/default.aspx?MenuID=contactus
To:
/mysite/ContactUs.aspx?
The problem I'm having is that its really slowed things up by at least 0.5
seconds to 1 second longer just to pull up a light weight static page. The
|
by: Brad |
last post by:
I have a win2003 server workstation with multiple webs, each web has it's
own ip address. In VS2005, if I select to open an existing web site, select
Local IIS, the dialog correctly displays a list of all of my webs, however
if I attempt to open a site under and web other than localhost I receive the
message:
"Unable to open the Web 'http://localhost/anywebappname'. The Web
'http://localhost/anywebappname' does not exist"
Obviously...
|
by: HackingPSP |
last post by:
I saw a lot of requests for a program like this, so I wrote it. Yeah,
my site has "PSP software by Auri" but in this case it means "Pretty
Sweet Programming" :) There's both a VS2005 add-in and a standalone app
(separate downloads, you don't need both). This is my second developer
utility this year - my first being the Lorem Ipsum generator from a few
weeks back.
Download and get more info on WebPrecompiler at...
|
by: mike |
last post by:
I help manage a large web site, one that has over
600 html pages... It's a reference site for ham radio
folks and as an example, one page indexes over
1.8 gb of on-line PDF documents.
The site is structured as an upside-down tree, and
(if I remember correctly) never more than 4 levels.
The site basically grew (like the creeping black blob) ...
all the pages were created in Notepad over the last
| |
by: DBLWizard |
last post by:
Howdy All,
Is it possible to have Visual Studio 2005 create a project form an
existing hosted website? In other words I want to be able connect via
ftp to my website structure and have it pull down all the files and
create a local project from it?
I know things like DreamWeaver will do this ... and I have been poking
around VS 2005 and haven't seen anything that jumps out at me.
|
by: Ben Sehara |
last post by:
Is there any way I can limit the access to my website? I have a site "A" and
I want to allow access to it only from site "B" login user.
If someone try to access site "A" directory, I want it redirected to site
"B" for login. After login at site "B", you see the link to site"A". When
you click it, you see login page for site "A".
Is it possible?
Thanks.
|
by: smartic |
last post by:
i need to know are my site is secure or not can any one test my site thx.
<Link removed>
|
by: John Kotuby |
last post by:
Hi all,
Within an IFRAME of a standard site constructed of mostly static HTM type
pages, I am calling up one page from a large ASP.NET 3.5 site. I have
precompiled the ASP.NET site and published. "Allow precompiled site to be
updateable" is NOT checked. "Enable strong naming on precompiled assemblies"
is NOT checked. However, "Use fixed naming and single page assemblies" IS
checked. I did with the idea that if I call a single page from...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |